The delete post button is not working for me; can one of the moderators please delete this post for me? Thank you.

I decided not to ask the question after all because it could provide script kiddies reading this post with information on how they can gather information which could be used in bad ways. Sorry.

May 17th, 2003, 07:13 AM

t2k2

Aww hell, just post it Homey! That's why the top banner says "Hackers know the weaknesses..." Go ahead and post it. Just look at it this way, you may be helping someone that has no idea that a certain weakness/vulnerability exists. Share the knowledge...don't be stingy... ;)

I've been learning how error 404 and HTTP GET requests can be used to gather information from a server, and since I'm not entirely confident in my security I am trying to disguise myself as an Apache server running on Red Hat.

I have customised my ServerTokens to identify myself as Apache on Red Hat Linux, and I learned how to make a custom error 404 page for my server, removing the information from the bottom.

I also disabled HEAD requests; I'm second-guessing my decision to do so.

I noticed that netcraft.com can still detect what server and operating system I am running, and I guess my questions are:

1) Is it necessary to hide or fake this information, and is this common or rare?

2) I was reading the FAQ at netcraft and they say they get the information from HTTP response headers. I checked mine and it says Apache/2.0.0 (Red Hat Linux). Are there other ways of interpreting the headers? Can you speculate on how they might have gotten around my faked info?

May 17th, 2003, 08:05 AM

t2k2

I am not sure that you can change all of the signature responses from an IIS server. Try running a sniffer to follow the connection establishment and data transferred between the web browser and server. You can use something like Snort or TCPDump/Windump. There are many others, but I know that you can view it with these two. If I am right, then you will actually see your webserver identify itself as an IIS version whatever server.

I never thought of using a sniffer and happen to have one I downloaded the other day for testing a web app I was making. Thank you for the suggestion.

May 17th, 2003, 08:16 AM

t2k2

No problem, here to help. ;) Post your results... I'm curious to see what you find.

t2k2

[edit]If you have the chance, try an NMAP fingerprint of the server as well. You can get it from Insecure. Maybe that will shed some light as well.[/edit]

May 17th, 2003, 08:37 AM

journy101

Still trying to figure out how my sniffer works; never used one before. But by morning I should have figured it out and have some useful output. I'm learning a lot already; it was a good suggestion. Also took note of the NMAP fingerprint, however I'm not sure if it was NMAP or another tool, but once before when I had it, it gave me an error about scanning localhost. I will try it again.

Will post my results when available. I'm very interested because netcraft.com correctly identified my server despite all attempts I made to hide or mask its identity.

May 17th, 2003, 10:31 AM

slarty

Several things:

- Netcraft identify the web server from the "Server" header. On most web servers, this cannot be removed or customised. On Apache, it can be reduced to "Apache" from "Apache-1.3.27 (Unix)" or whatever. On IIS it can be modified by 3rd party products.

- Netcraft identify the OS from the TCP characteristics of the machine. This cannot be changed easily on most systems (although there are a number of efforts to do so). It is likely to be difficult to make a win98 box look like Linux (although you might have more success making a Linux box look like win98). In particular, you can't make the OS better at choosing initial TCP sequence numbers.

- I wrote a program which attempts to identify web servers even when the "Server:" header is absent or lying, info is available here http://projectz.org/?id=142 (I don't yet have a signature for any of the less common web servers)

Hope this is useful to someone. :)
As for your webserver, do you know how dangerous it is to run a webserver on a system that lacks access controls? Aside from that, there should be something in the docs, or just contact whoever made it and ask them what is wrong; maybe your system was cached on netcraft before the change?
I personally don't see the need to try and hide what you are running; normally it takes an attacker all of one request to tell that you lied in the response, and worms don't care. For the effort required of setting a 0 to a 1, I suppose it might have some net gain of protection over effort though, but only because the effort is so minimal.
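As an added illustration of slarty's first and third points (identifying the web server even when the "Server:" header is absent or lying), here is a small passive fingerprinter. It is example code written for this page, not slarty's tool from projectz.org and not anything posted in the thread. It ignores the Server: header entirely and scores the response on traits the server software leaks anyway: the 404 reason phrase, whether Date is emitted before or after Server, and a marker string in the default error body. The trait values in SIGNATURES are simplified and assumed for the example, and both sample responses are constructed rather than captured.

```python
"""
Passive web-server fingerprinting from response traits other than the
Server: header (status reason phrase, header order, error-body markers).

The trait values are simplified and illustrative (an assumption for this
example), not a real signature database, and every sample response below
is constructed, not captured from a live host.
"""


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into status-line parts, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, status, reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def header_value(headers: list, name: str):
    """Case-insensitive lookup of the first header with the given name."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# One point per matching trait. Header names are compared case-insensitively.
SIGNATURES = {
    "Apache": {
        "reason_404": "Not Found",
        "order_prefix": ["date", "server"],        # Apache writes Date before Server
        "body_marker": b"<title>404 Not Found</title>",
    },
    "Microsoft-IIS": {
        "reason_404": "Object Not Found",
        "order_prefix": ["server", "date"],        # IIS 5 writes Server first
        "body_marker": b"The page cannot be found",
    },
}


def score_response(resp: dict) -> dict:
    """Score each family on the parsed response, ignoring what Server: claims."""
    names = [n.lower() for n, _ in resp["headers"]]
    scores = {}
    for family, sig in SIGNATURES.items():
        points = 0
        if resp["status"] == 404 and resp["reason"] == sig["reason_404"]:
            points += 1
        prefix = sig["order_prefix"]
        positions = [names.index(h) for h in prefix if h in names]
        if len(positions) == len(prefix) and positions == sorted(positions):
            points += 1
        if sig["body_marker"] in resp["body"]:
            points += 1
        scores[family] = points
    return scores


def fingerprint(raw: bytes) -> dict:
    """Best-guess server family plus whether the Server: header agrees with it."""
    resp = parse_response(raw)
    scores = score_response(resp)
    guess = max(scores, key=scores.get)
    claimed = header_value(resp["headers"], "Server") or ""
    return {"claimed": claimed, "guess": guess, "scores": scores,
            "claim_consistent": claimed.lower().startswith(guess.lower())}


# Constructed sample: a genuine Apache 2.0 404.
APACHE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 17 May 2003 07:13:00 GMT\r\n"
    b"Server: Apache/2.0.40 (Red Hat Linux)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><head><title>404 Not Found</title></head><body>...</body></html>"
)

# Constructed sample: an IIS 5 host whose Server: header was rewritten to claim Apache.
DISGUISED_IIS_404 = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Apache/2.0.0 (Red Hat Linux)\r\n"
    b"Date: Sat, 17 May 2003 07:13:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>The page cannot be found</title></head><body>...</body></html>"
)

if __name__ == "__main__":
    for sample in (APACHE_404, DISGUISED_IIS_404):
        print(fingerprint(sample))
```

Run it and the disguised response scores three points for IIS and none for Apache, so the rewritten Server: header is flagged as inconsistent with the rest of the response. This is the "one request" slarty and the last poster have in mind: the reason phrase, header order and default error page all have to be faked too, and on Apache the knobs for the bits you can control are ServerTokens, ServerSignature and ErrorDocument, none of which touch header ordering.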
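Slarty's second point is that Netcraft gets the operating system from the TCP characteristics of the host, not from HTTP at all. The following added example (written for this page, not taken from the thread or from any tool mentioned in it) shows the p0f-style passive approach: classify the observed TTL into a starting value, derive hop distance from it, and match window size, DF bit and TCP option order against a small table. The signature table and both sample SYNs are simplified and assumed for the example; they are not p0f's real database. Initial sequence number quality, which slarty also mentions, needs many samples and is not modelled here.

```python
"""
Passive OS fingerprinting from the TCP SYN a host sends: initial TTL class,
window size, DF bit and option order, in the style of p0f. The signature
table is simplified and assumed for this example; it is not p0f's database,
and the sample packets are constructed, not captured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynInfo:
    ttl: int            # TTL as seen on the wire, already decremented by each hop
    window: int         # advertised receive window
    df: bool            # IP "don't fragment" bit
    mss: int            # MSS option value
    options: tuple      # TCP option kinds in the order they appear


COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value."""
    for start in COMMON_INITIAL_TTLS:
        if observed <= start:
            return start
    return 255


def hop_distance(syn: SynInfo) -> int:
    """Estimated number of routers between us and the sender."""
    return initial_ttl(syn.ttl) - syn.ttl


# Illustrative signatures (assumption). A window written "S<n>" means
# n times the sender's MSS, mirroring p0f notation; integers are absolute.
SIGNATURES = [
    ("Linux 2.4", dict(ttl=64, window="S4", df=True,
                       options=("MSS", "SACK", "TS", "NOP", "WS"))),
    ("Windows 98", dict(ttl=128, window=8192, df=True,
                        options=("MSS", "NOP", "NOP", "SACK"))),
    ("Windows 2000", dict(ttl=128, window=16384, df=True,
                          options=("MSS", "NOP", "NOP", "SACK"))),
]


def window_matches(spec, syn: SynInfo) -> bool:
    """Compare an advertised window against an absolute or MSS-multiple spec."""
    if isinstance(spec, str) and spec.startswith("S"):
        return syn.window == int(spec[1:]) * syn.mss
    return syn.window == spec


def match_os(syn: SynInfo) -> list:
    """Names of every signature whose fields all agree with the SYN."""
    hits = []
    for name, sig in SIGNATURES:
        if (initial_ttl(syn.ttl) == sig["ttl"]
                and syn.df == sig["df"]
                and window_matches(sig["window"], syn)
                and syn.options == sig["options"]):
            hits.append(name)
    return hits


# Constructed: a Linux 2.4 host 13 hops away (64 - 13 = 51).
LINUX_SYN = SynInfo(ttl=51, window=5840, df=True, mss=1460,
                    options=("MSS", "SACK", "TS", "NOP", "WS"))

# Constructed: a Windows 98 host whose HTTP Server: header claims Apache;
# the TCP stack still looks like Windows no matter what the web server says.
WIN98_SYN = SynInfo(ttl=120, window=8192, df=True, mss=1460,
                    options=("MSS", "NOP", "NOP", "SACK"))

if __name__ == "__main__":
    for syn in (LINUX_SYN, WIN98_SYN):
        print(match_os(syn), "about", hop_distance(syn), "hops away")
```

The point of the second sample is the one slarty makes: every field here comes from the kernel's TCP/IP stack, so editing httpd.conf or a 404 page changes nothing, and the tcpdump or Snort capture t2k2 suggested will show these values directly in the SYN/ACK your server sends back.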